“As used in this section, ‘personal information’ means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.”

That seems like a breathtakingly broad definition.

Observe that it considers any “account number” as an identifier that triggers the requirement for security in Section 1(a). Public Act No. 08-167 does not define “account number,” which can make for surprising results for all kinds of organizations that collect money, including small ones like neighborhood parent-teacher associations.

Surprising Case Example - Health Club Locker Number

For example, suppose a small health club keeps track of membership payments according to locker numbers, which are viewable in the locker room. That practice may be a mistake under Connecticut’s law because anyone walking through the locker room could learn that my locker number, i.e., my account number, is “57". That unit of identifying information might be misused by, say, a snoopy debt collector who is investigating how much I spend on luxuries like club membership. Knowing my name and locker number, he could telephone the health club and say, “This is Ben Wright, and my locker number is 57. Can you tell me how much I owe on my club membership this month?”

So, to say it in different words: This little health club has opened itself to a lawsuit in Connecticut by doing something (making account number and locker number the same thing) that would seem to be perfectly natural and insignificant to anyone but the most paranoid of lawyers.

Behavior Patterns as Identifiers?

Although Connecticut’s law itemizes some identifiers like “account numbers” and Social Security numbers, its definition of personal information reaches wider than the itemized list. The law regulates any and all “information capable of being associated” with a person through an “identifier.”

What kinds of information can be used to identify people by way of an “identifier?” What about patterns of behavior and patterns of social relationship? Could patterns of activity be “identifiers?” I don’t see why not.

Academic researchers have demonstrated that so-called anonymous data about human behavior can be used to identify individuals. For instance, researchers started with “anonymized” data from one Web 2.0 service, Twitter. From this data, they ascertained the identities of individual Twitter users. How did they do it? They drew on behavior data from another Web 2.0 service, Flickr. By comparing maps of relationships from unnamed Twitter users with maps of relationships for known Flickr users, the researchers uncovered the identities of the Twitter users!

From the perspective of privacy, this research is chilling.

Is All Data About a Person Private?

Responding to this research, a privacy advocate is naturally inclined to say that no one should keep any data about anyone.

While that response may be excessive, it does accurately reflect the privacy concern when anyone retains information about the patterns of behavior of individuals.

Another Case Example - Identifying People by Writing Style

So given how information about behavior patterns can serve as the “identifiers” of an individual . . . let's consider the following application of Connecticut law. Suppose a small nonprofit in Connecticut works with volunteers to develop and publish opinions on controversial civil rights topics, such as abortion or homosexual marriage. The organization attributes the opinions only to itself, without identifying the volunteers involved in writing them.

Sally is one of those writer volunteers. The organization publishes a controversial opinion based largely on prose composed by Sally. Could the organization be violating Connecticut law simply by publishing Sally’s written words? Logically, the answer could be yes. Here’s the logic . . .

Examples of Sally’s writing – on non-controversial topics – appear in association with her name in many public places such as blogs, libraries, Facebook pages, LinkedIn comments, letters to the editor and so on.

Research shows that people can be identified according to their writing style – syntax, word choice and so on. In fact, researchers today track “anonymous” terrorists according to the style of their writing, records and communication on the web.

Hence, when the civil rights organization publishes Sally’s words, even with her name removed, it is failing to safeguard her personal information. It is opening her to embarrassment and ridicule by people who disagree. Adversaries could analyze the patterns of behavior exhibited in the published words and ascertain that Sally is the author!

In other words, in the legislative terms of Public Act No. 08-167, the organization failed to protect her personal identifying information (i.e., the patterns of her unique writing style woven into her text) from being "misused" to criticize her personally.

What Does This Mean in Practice?

So what could the organization have done to comply with Connecticut law? Before publishing Sally's words, the organization could have removed from the words the “identifier” linking to Sally by hiring a team of third-party writers to rearrange the words into anonymous writing style.

Shiver my timbers. Thats a lot of work for a small nonprofit, just to comply with Connecticut privacy law. The regulation chills free speech. Is that really what the Connecticut legislature had in mind?

Society faces an emerging conflict between the civil right of privacy and the civil right of free speech.

Global Impact of Strange Legislation

Notice that the foregoing conundrums arise from legislation enacted by just one small US state. But in our Internet-connected world, the data privacy law of Connecticut can be applicable to the activities of an organization in Australia or Hong Kong. Further, nothing prevents the legislature of Arizona, Pennsylvania, Michigan or name-your-jurisdiction from adopting law that is similarly strange and broad in scope -- all the while using words and standards that differ from Connecticut's.

Comments

You can follow this conversation by subscribing to the comment feed for this post.

This is a very interesting post, as with all areas of life these days, everthing seems to be covered in a lot of preverbial Security Tape tape which can be more hassle than the protection it provides is worth. The issue of security is a difficult one though, with mistakes made by trusted officials where sensitive information has been left on trains etc, there is of course the need to take precautions. But this Connecticut law seems to be twisting in circles around itself, and if it ends up limiting free speech for the sake of the vague possibilty of a threat to someone's privacy, it seems to me to be rather over the top. Especially when this person would have voluntarily written with the knowledge that their name would be tracable.

IT Administrators

Twitter

Wright's Google Profile

Custom Professional Training

Local ARMA Quote

"The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He is a pioneer in the promotion of public relations to address Internet legal issues and crises. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

SANS Quote

"The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

E-mail Mr. Wright

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly, formally agree that the relationship is being formed. He does not give advice to non-clients.